Finding Real Risk

Are you investing your cybersecurity budget in the most appropriate place, or are you being guided by what you see in the headlines?

Cybersecurity speaker Bruce Schneier once gave a great TEDx talk on perceived versus actual risk. The basic message was that we spend a disproportionate amount of time worrying about relatively small risks while not looking at the bigger ones. Bill Gates put it more succinctly back in June, when he tweeted about the “fear instinct that distorts our perspective.”

He pointed to research showing that roughly 35% of media stories about causes of death concern terrorism (which fewer than 0.01% of people in the US die from), while only 2.5% concern heart disease, which accounts for 30% of deaths each year. Some risks are sexier than others. You don’t see many Hollywood movies in which Tom Cruise advocates half an hour of daily moderate exercise, reducing greasy foods, and cutting down on sugary drinks.

The same is true in cybersecurity. You should invest in protecting yourself from hackers, especially if you’re in a high-risk industry like financial services, retail, healthcare, or government. But a compromise is just as likely to come from distracted, poorly trained employees, or from a year-old, already-patched vulnerability in software you never updated, as from some carefully crafted zero-day sent by an elite spy unit.

Several surveys point this out to varying degrees. Security company Egress, which regularly analyzes personal data breach reports filed with the ICO, recently found that 60% of the 4,856 reports it examined were down to human error. This suggests that solid training and a focus on process are at least as important as shelling out money on the latest exciting-sounding AI-powered cybersecurity tool.

Security shouldn’t be about who shouts loudest or comes up with the sexiest-sounding name for an existing form of attack that has been around for decades. Techniques like ‘pretexting’ (basic social engineering) or advanced persistent threats (good old hacking) spring to mind. It should be about comprehensive risk analysis that examines different cybersecurity risks, the likelihood that attackers will use them to target your type of company, and their potential impact. By ignoring the never-ending rounds of cybersecurity theater and focusing on relevant, real-world risk, companies can multiply the effect of their cybersecurity budget.